Data Breach Affects 2.2M Cancer Patients

When patients are undergoing treatment for potentially life-threatening illnesses, the last thing they need to worry about is identity theft. Unfortunately, that’s no longer the case for 2.2 million individuals whose identifying information was stolen in a breach of 21st Century Oncology.

The FBI recently informed the Florida-based medical center that a database of their records—including Social Security numbers for their patients—had been accessed by an unauthorized third-party. Hospitals, doctors’ offices, and medical centers seem to be a hot commodity for hackers, and it’s not hard to see why.

Anyone who’s ever been handed a clipboard full of forms to fill out knows that those locations collect a high volume of information on their patients, as well as the patients’ spouses or parents if those individuals are responsible for paying the medical bills. Also, given that patients also supply their insurance information—which was stolen in this data breach as well—the sheer volume of information on patients and their family members makes it very easy to steal their identities.

There are three crucial things to take away from this event:

The oncology center itself wasn’t aware of the breach until the FBI noted it months after it occurred. That means the patients’ identities could very well have already been stolen and used illegally, long before anyone even discovered it. That’s why it’s essential for all consumers to treat their identities as if identity theft might have already occurred; monitor your credit reports routinely in order to be on the lookout for any suspicious activity. One way to get an ongoing look at your credit is to space apart your reports. All consumers are entitled to one free report each year from each of the three credit reporting agencies. If you routinely order one report in January, a different report in May, and another report in September, you will get a more complete look at your credit report than if you order the reports all at the same time.

If you receive a notification letter informing you of a data breach or hacking event, it’s critical that you take it seriously and follow the instructions in the letter. If the nature of the event was so severe—meaning the type of information thieves stole—that you’re offered free credit monitoring, don’t throw away that letter! The letter will contain the contact information and the PIN number you will need to sign up for the service. The letter also serves as proof that your identity has been compromised, which could be useful if the thief actually uses your identity. While you would not be responsible for financial charges that are discovered early enough, there are many other ways that identity theft can hurt you. For example, criminal identity theft in which the thief has provided your name and information at the time of arrest, benefits fraud when the thief applies for benefits in your name (thereby defrauding the government), or more. Your notification letter serves as a layer of proof that someone else had access to your identity.

Finally, data breaches—especially of medical centers—should serve as a warning about the need to safeguard your information more carefully. Do not simply hand over your personal identifiable information just because a form on a clipboard asks for it. In many cases, there is minimal need for your doctor to have your Social Security number, and it’s actually not allowed to be used as an identification number. Be mindful of the places you share that single detail with (as well as other identifiers, like your mother’s maiden name or the town where you were born), and refuse to turn it over if they cannot demonstrate a clear need for it.

Anyone can be a victim of identity theft, anyone can use our services and anyone can help us help others. If you found this information useful, please consider donating to the Identity Theft Resource Center to help us keep our services free to the public.